OpenVPN secure setup

This is very useful for accessing servers behind firewalls. What if you have a database admin panel hosted on one of your servers? You could lock access down to your IP address, but what if you have multiple admins, and what if you want to access it from a coffee shop, where your IP address would be different?

This is the problem a VPN server solves. Instead of connecting directly, you log on to the VPN server and from there reach your private cloud. One thing to note is that the OpenVPN Access Server will make use of port for redirecting traffic to the web interface, hosted on port. Get started by downloading the OpenVPN package for your distro.

Grab the link for your package and download it from the command line with wget: You can stipulate how the server should handle client traffic by establishing some firewall rules and routing configurations. Assuming you followed the prerequisites at the start of this tutorial, you should already have ufw installed and running on your server.

Before opening the firewall configuration file to add the masquerading rules, you must first find the public network interface of your machine. To do this, type: For example, this result shows the interface named eth0, which is highlighted below: UFW rules are typically added using the ufw command. Rules listed in the before. Towards the top of the file, add the highlighted lines below.

Next, you need to tell UFW to allow forwarded packets by default as well. Then adjust the firewall itself to allow traffic to OpenVPN. In case you forgot to add the SSH port when following the prerequisite tutorial, add it here as well:

Note: If you are using a different firewall or have customized your UFW configuration, you may need to add additional firewall rules. If there are other protocols that you are using over the VPN then you will need to add rules for them as well. Your server is now configured to correctly handle OpenVPN traffic.
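As an added example (not the tutorial's own commands), the shell functions below render the masquerade block the guide puts at the top of /etc/ufw/before.rules, rewrite the forward policy line from /etc/default/ufw, and list the ufw allow commands. The VPN subnet 10.8.0.0/8 and port 1194/udp are stock OpenVPN defaults assumed here; nothing is written to the system unless you redirect the output.

```shell
#!/bin/sh
# Added example, not the tutorial's own commands: render the masquerade block
# for /etc/ufw/before.rules, fix the forward policy line from /etc/default/ufw,
# and list the ufw allow commands. The VPN subnet 10.8.0.0/8 and port 1194/udp
# are assumed stock OpenVPN defaults; nothing is written unless you redirect.

# Interface carrying the default route (what the guide finds with `ip route`).
# Falls back to eth0 when no default route exists, e.g. in a sandbox.
public_iface() {
    iface=$(ip -4 route show default 2>/dev/null |
        awk '{for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1); exit}')
    [ -n "$iface" ] && printf '%s\n' "$iface" || printf 'eth0\n'
}

# NAT table block: masquerade VPN client traffic leaving via the public NIC,
# so replies from the Internet find their way back into the tunnel.
nat_rules() {
    subnet=$1; iface=$2
    printf '%s\n' \
        '# START OPENVPN RULES' \
        '*nat' \
        ':POSTROUTING ACCEPT [0:0]' \
        "# Allow traffic from OpenVPN clients to $iface" \
        "-A POSTROUTING -s $subnet -o $iface -j MASQUERADE" \
        'COMMIT' \
        '# END OPENVPN RULES'
}

# Read /etc/default/ufw content on stdin and switch the forward policy to
# ACCEPT; without this UFW drops the packets it is asked to route.
forward_policy_accept() {
    sed 's/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY="ACCEPT"/'
}

# The allow rules the guide describes: the OpenVPN port plus SSH, so the
# firewall reload cannot lock you out of the server.
ufw_allow_cmds() {
    port=${1:-1194}; proto=${2:-udp}
    printf 'ufw allow %s/%s\nufw allow OpenSSH\n' "$port" "$proto"
}

# Stand-alone run: print what would go into each file.
nat_rules 10.8.0.0/8 "$(public_iface)"
ufw_allow_cmds
```

Pipe the output of `forward_policy_accept` from a copy of /etc/default/ufw and diff it against the original before replacing the file.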

With the firewall rules in place, we can start the OpenVPN service on the server. OpenVPN runs as a systemd service, so we can use systemctl to manage it.

To do this, enable the OpenVPN service with systemctl: Double-check that the OpenVPN service is active with the following command. You should see active (running) in the output:

Rather than writing a single configuration file that can only be used on one client, this step outlines a process for building a client configuration infrastructure which you can use to generate config files on the fly. Get started by creating a new directory where you will store client configuration files within the client-configs directory you created earlier: Next, copy an example client configuration file into the client-configs directory to use as your base configuration:

Inside, locate the remote directive. If you decided to change the port that the OpenVPN server is listening on, you will also need to change to the port you selected:

Next, uncomment the user and group directives by removing the ; sign at the beginning of each line: Find the directives that set the ca, cert, and key. Comment out these directives since you will add the certs and keys within the file itself shortly:

Similarly, comment out the tls-auth directive, as you will add ta. Next, add the key-direction directive somewhere in the file.

The first set is for clients that do not use systemd-resolved to manage DNS. These clients rely on the resolvconf utility to update DNS information for Linux clients. Now add another set of lines for clients that use systemd-resolved for DNS resolution:

Later, in Step 13, Installing the Client Configuration, you will learn how to determine how DNS resolution works on Linux clients and which section to uncomment. This script will make a copy of the base. The benefit of using this method is that if you ever need to add a client in the future, you can run this script to quickly create a new config file and ensure that all the important information is stored in a single, easy-to-access location.

Please note that any time you add a new client, you will need to generate new keys and certificates for it before you can run this script and generate its configuration file. You will get some practice using this script in the next step. If you followed along with the guide, you created a client certificate and key named client1. This will create a file named client1. You need to transfer this file to the device you plan to use as the client.
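The client-side edits above (remote, user/group, commented ca/cert/key and tls-auth, key-direction, the two DNS blocks) and the generator script they feed, as one added example that is not the tutorial's own make_config.sh. Every file is constructed placeholder material written to a temp dir; vpn.example.org and the paths are assumptions.

```shell
#!/bin/sh
# Added example, not the tutorial's make_config.sh: build one client .ovpn by
# inlining the CA cert, client cert, client key and ta.key into a copy of
# base.conf. Files are constructed placeholders; vpn.example.org is assumed.

# base.conf with the guide's edits: remote set, user/group uncommented,
# ca/cert/key and tls-auth commented out (inlined instead), key-direction 1
# added, both DNS blocks left commented for the client to pick from.
write_base_conf() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.org 1194
user nobody
group nogroup
#ca ca.crt
#cert client.crt
#key client.key
#tls-auth ta.key 1
key-direction 1
# clients using resolvconf: uncomment the next three lines
#script-security 2
#up /etc/openvpn/update-resolv-conf
#down /etc/openvpn/update-resolv-conf
# clients using systemd-resolved: uncomment these three instead
#script-security 2
#up /etc/openvpn/update-systemd-resolved
#down /etc/openvpn/update-systemd-resolved
EOF
}

# Concatenate base.conf with the PEM files wrapped in OpenVPN's inline tags.
# Usage: make_config base.conf ca.crt client1.crt client1.key ta.key
make_config() {
    cat "$1"
    for pair in "ca:$2" "cert:$3" "key:$4" "tls-auth:$5"; do
        tag=${pair%%:*}; file=${pair#*:}
        printf '<%s>\n' "$tag"; cat "$file"; printf '</%s>\n' "$tag"
    done
}

# Sanity check before shipping a profile: every inline section is present
# and no file-based ca/cert/key/tls-auth directive is left active.
check_profile() {
    for tag in ca cert key tls-auth; do
        grep -q "^<$tag>\$" "$1" && grep -q "^</$tag>\$" "$1" || return 1
    done
    ! grep -Eq '^(ca|cert|key|tls-auth) ' "$1"
}
```

Source the file, run write_base_conf once, then make_config with the real certificate paths redirected to client1.ovpn, and run check_profile on the result before transferring it.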

For instance, this could be your local computer or a mobile device. This will copy the client1. Here are several tools and tutorials for securely transferring files from the OpenVPN server to a local computer: None of these client instructions are dependent on one another, so feel free to skip to whichever is applicable to your device.

The OpenVPN connection will have the same name as whatever you called the. In regards to this tutorial, this means that the connection is named client1. Choose the appropriate installer version for your version of Windows. Note: OpenVPN needs administrative privileges to install. To do this without having to right-click and select Run as administrator every time you use the VPN, you must preset this from an administrative account.

To set the OpenVPN application to always run as an administrator, right-click on its shortcut icon and go to Properties. At the bottom of the Compatibility tab, click the button to Change settings for all users. In the new window, check Run this program as an administrator. Click Yes. This opens the context menu. A status window will open showing the log output while the connection is established, and a message will show once the client is connected.

You can download the latest disk image from the Tunnelblick Downloads page. Double-click the downloaded. Towards the end of the installation process, Tunnelblick will ask if you have any configuration files. Answer I have configuration files and let Tunnelblick finish. Open a Finder window and double-click client1. Tunnelblick will install the client profile. Administrative privileges are required.

Launch Tunnelblick by double-clicking the Tunnelblick icon in the Applications folder. Once Tunnelblick has been launched, there will be a Tunnelblick icon in the menu bar at the top right of the screen for controlling connections.

Click on the icon, and then the Connect client1 menu item to initiate the VPN connection. If you are using Linux, there are a variety of tools that you can use depending on your distribution.

Your desktop environment or window manager might also include connection utilities. If your system is configured to use systemd-resolved for DNS resolution, the IP address after the nameserver option will be There should also be comments in the file like the output that is shown that explain how systemd-resolved is managing the file. If you have a different IP address than To support these clients, first install the openvpn-systemd-resolved package.

If your client includes the update-resolv-conf file, then edit the OpenVPN client configuration file that you transferred earlier: Next, we will have to give it a descriptive name, whatever we want, and the configuration must be as follows: If we have a certificate with a validity of more than days, it may give errors on some platforms; this is a general rule, but it does not apply to OpenVPN. Therefore, we can set whatever duration we want without problems, and it will not fail.

Once created, we will see it in the list of certificates; in addition, we can also see the CA with which we have signed the certificate and whether it is of the server type. This server certificate is the one we will have to select when configuring the OpenVPN server in pfSense, so we must remember the name we gave it, because later we will be shown a list with all the certificates.

To create one or more digital certificates for clients, we must follow exactly the same process as for the server certificate. If we click on edit, the only thing we can do is modify the descriptive name, but we can also export the private key with a passphrase; if we set a password, the private key itself will be encrypted with AES-CBC to protect its content and, therefore, prevent anyone who gets hold of it from reading and using it.

If we want to create more client certificates we can do it in the same way; all we have to do is give each one a different description and a different CN. Once we have finished creating all the certificates for the clients that are going to connect to the OpenVPN server, we proceed to configure the server step by step. In «Ping Settings» we can configure the pings used to check whether a client is still connected or has lost connectivity.

Another configuration we can make regarding routes is that, instead of forcing all clients to send all traffic through the VPN tunnel, we can define that only certain networks, the ones we choose, are reachable through it, and the clients will automatically receive the routes to those networks.

Once we have configured the OpenVPN server, we are going to configure the firewall to allow incoming connections. If we want to create specific rules to deny traffic to certain subnets, we will have to create rules that meet that condition. Once we have access from the Internet (WAN), and also to any subnet of the operating system and redirection to the Internet, we are going to export the OpenVPN configuration file for the clients.

Now, when using the private key to connect to the server, we will have to enter this password that protects the certificate.